This repository has been archived by the owner on Aug 31, 2023. It is now read-only.

Adding test files to ghas ignore list #2

Open · wants to merge 10 commits into base: master

Conversation

@DM-sb commented Sep 7, 2022

Hey, I just made a Pull Request!

Adding a regex for test files that can be ignored by GHAS, to see if this will get rid of the false positives.

✔️ Checklist

  • A changeset describing the change and affected packages.
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message.
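As an added illustration (not the diff of this PR, which is not shown on this page), here is a CodeQL configuration of the kind the description refers to. Note that CodeQL's `paths-ignore` takes `**`-style glob patterns rather than regular expressions. The file path, the workflow excerpt and the patterns themselves are assumptions, chosen to match the usual Jest layout of a TypeScript repository such as Backstage:

```yaml
# .github/codeql/codeql-config.yml  (assumed path; example, not this PR's change)
name: "Exclude test code from CodeQL analysis"

# Glob patterns, not regexes. Each entry is an assumption about the repo layout:
# Jest-style test files and the directories Jest conventionally uses for
# test-only code. Matching by file-name suffix rather than by whole source
# directory keeps non-test helpers (dev servers, setup scripts) under analysis.
paths-ignore:
  - '**/*.test.ts'
  - '**/*.test.tsx'
  - '**/__tests__/**'
  - '**/__mocks__/**'
  - '**/__fixtures__/**'

# .github/workflows/codeql.yml (assumed excerpt): the init step must point at
# this file, otherwise the default configuration applies and test files are
# still analysed.
#
#   - uses: github/codeql-action/init@v2
#     with:
#       languages: javascript
#       config-file: ./.github/codeql/codeql-config.yml
```

For interpreted languages such as JavaScript/TypeScript, `paths-ignore` controls which files are extracted, so alerts in matching files never appear; for compiled languages the build step decides what is analysed, so check the CodeQL documentation before relying on it there. The alternative is to keep scanning everything and dismiss individual alerts with the "Used in tests" reason, which code scanning offers alongside "False positive" and "Won't fix".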

@addersuk (Member) commented Sep 8, 2022

This is our public fork of Backstage and we have another repo for the internal site.

@DM-sb is it a good idea to disable CodeQL checks on all the test code?

@DM-sb (Author) commented Sep 8, 2022

Hi @addersuk, it depends really on how many false positives you are seeing. If you are inundated with FPs because of test files, I think it makes sense to avoid analysing them so you can focus on true positives in the rest of your code instead. With static analysis, it really is a cost-benefit decision imo. @ttt23

@tloakthar commented

Yes, I don't see much risk in leaving out test files from the CodeQL scans. Alternatively we can mark these out as "Used in tests". I think GitHub might learn a pattern from such input. We ask GitHub to see if the workflow supports patterns of test secrets to ignore (like it does for secret scanning).
